PXP-6412 Feat/auth mapping #93
Conversation
src/server/auth/arboristClient.js
Outdated
| resources: [], | ||
| }; | ||
| Object.keys(result).forEach((key) => { | ||
| if (result[key] && result[key].some((x) => x.method === 'read')) { |
There was a problem hiding this comment.
i think you also need to handle method: '*'
could you include that in the test as well?
There was a problem hiding this comment.
back to this comment, for method: '*' should we also check for service?
this section
{ "service": "indexd", "method": "*" }
will makes the project be accessible but it should not, right?
There was a problem hiding this comment.
oof, good question... right now we use "read on all services" when we grant read access, but we shouldn't assume that's the case
i guess we should check for sheepdog, peregrine or *
but then we have the same problem in windmill https://github.com/uc-cdis/data-portal/blob/2020.07/src/authMappingUtils.js#L63
There was a problem hiding this comment.
Right, so for portal now we are not checking read for each projects specifically. So in the submission page you will see a project name with Browse Data button show up even if you don't have read access to that project. But if you click that button you will see nothing (before the 404 redir) or be redirected to 404 page.
But we can make some improvements to windmill so it won't display the project in submission table if you don't have access
There was a problem hiding this comment.
mm i thought that was already the case
There was a problem hiding this comment.
mm i thought that was already the case
yeah you are right
There was a problem hiding this comment.
yeah i think either sheepdog or peregrine should be fine...
but then why not have "guppy" or "mds" or anything else that lets you read data 🤦
There was a problem hiding this comment.
actually i'm starting to think we should just check "service=guppy or *"
There was a problem hiding this comment.
actually i'm starting to think we should just check "service=guppy or *"
this actually sounds reasonable to me, even if you have access to peregrine or sheepdog doesn't mean you will be granted with access to guppy.
There was a problem hiding this comment.
right, and it won't break anything we currently do, since we just grant read access to all services
|
maybe this change should be considered a breaking change? |
hmmm... idk The |
|
right, but you're going from being able to see all the data you have any access to, to only being able to see the data you have "read" access to |
src/server/auth/arboristClient.js
Outdated
| // logic: you have access to a project if you either | ||
| // 1. have 'read' access to a project resource | ||
| // or | ||
| // 2. have '*' access to service 'guppy' or service '*' | ||
| if (result[key] && result[key].some((x) => x.method === 'read' | ||
| || (x.method === '*' && (x.service === 'guppy' || x.service === '*'))) | ||
| ) { |
There was a problem hiding this comment.
the logic should be: you have access to a project if you have the following access: method 'read' (or '*' - all methods) to service 'guppy' (or '*' - all services) on the project resource.
so i think something like this?
if (result[key] && result[key].some((x) =>
(x.method === 'read' || x.method === '*')
&& (x.service === 'guppy' || x.service === '*')
)) {
There was a problem hiding this comment.
true! i'll update, thanks for the suggestion
Fulfills https://ctds-planx.atlassian.net/browse/PXP-6412
Deployed in: https://mingfei.planx-pla.net/ (should not see obvious changes)
Improvements
/auth/resourcesendpoint to/auth/mappingand filter out accessible list base onreadaccessBreaking Changes
read(or*- all methods) to serviceguppy(or*- all services) on that project resource. (previously they can see/query all the data if you any types of access to them)